Bug 1576719
Summary: | ECP flow not triggering, instead client access secured resources without ECP authentication | ||||||
---|---|---|---|---|---|---|---|
Product: | Red Hat Enterprise Linux 7 | Reporter: | bmesegue <bmesegue> | ||||
Component: | mod_auth_mellon | Assignee: | John Dennis <jdennis> | ||||
Status: | CLOSED DUPLICATE | QA Contact: | Scott Poore <spoore> | ||||
Severity: | high | Docs Contact: | |||||
Priority: | unspecified | ||||||
Version: | 7.7 | CC: | bmesegue, cpelland, jhrozek, nkinder, rmarting, spoore | ||||
Target Milestone: | rc | ||||||
Target Release: | --- | ||||||
Hardware: | Unspecified | ||||||
OS: | Linux | ||||||
Whiteboard: | |||||||
Fixed In Version: | mod_auth_mellon-0.14.0-4.el7 | Doc Type: | If docs needed, set a value | ||||
Doc Text: | Story Points: | --- | |||||
Clone Of: | |||||||
: | 1687978 (view as bug list) | Environment: | |||||
Last Closed: | 2019-05-02 13:40:21 UTC | Type: | Bug | ||||
Regression: | --- | Mount Type: | --- | ||||
Documentation: | --- | CRM: | |||||
Verified Versions: | Category: | --- | |||||
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |||||
Cloudforms Team: | --- | Target Upstream Version: | |||||
Embargoed: | |||||||
Bug Depends On: | |||||||
Bug Blocks: | 1687978 | ||||||
Attachments: |
|
In reviewing this I think there may be some confusion over how the ECP flow works. In the how-to-reproduce.txt document in the attachment is this statement: The ECP flow to be tested looks as follows: client --> HTTPD(mellon) --> service But that is not how the SAML ECP flow works. There needs to an intermediary called the ECP client which participates in the flow. Refer to page 14 in this document: https://docs.oasis-open.org/security/saml/v2.0/saml-bindings-2.0-os.pdf If mellon is operating correctly it should respond with a 200 status, content-type of text/xml and the AuthnRequest in the body. The diagnostics shows it's responding with content-type of text/xml as would be expected. This seems to suggest mellon is operating as expected. The receiver of the response is supposed to participate in the ECP flow by forwarding the AuthRequest it received in the response to the IdP. ECP cannot be done with a single curl request as it appears from the expectation in your document. It would be very helpful to know what the body of the response was you got from melllon, it should have been an AuthnRequest but you don't indicate what you actually got back. What did you get back? Hi John, I hope I understood your comments. The curl command mimics/simulates the ECP client. Mellon should respond with the AuthRequest, but it doesn't, that is the problem, the request goes through as if there was no validation to do, it reaches the backend service. You would need to follow the instructions to reproduce the problem to see by yourself the issue. |
Created attachment 1434274 [details] TAR file including resources to reproduce issue Description of problem: The problem observed is that the ECP flow does not trigger and the call goes through giving the client access to the service without undergoing authentication. Version-Release number of selected component (if applicable): 0.11.0 and 0.13.1 How reproducible: Instructions attached in TAR file (how-to-reproduce.txt) Steps to Reproduce: Read instructions on how to reproduce: > how-to-reproduce.txt (attached in TAR file) Actual results: The problem observed is that the ECP flow does not trigger and the call goes through giving the client access to the service without undergoing authentication. Expected results: The expected result would be to obtain a PAOS request from the HTTPD server redirecting the client to the SSO instance to get authenticated. Additional info: The same test has been run using versions of 'mod_auth_mellow' 0.11.0 and 0.13.1 using respectively CentOS-7 and Fedora-26 base images. With close inspections to the HTTPD log files it appears the mod_auth_module identifies the request as an ECP one, then passes the request to the main handler but then it is not getting the expected callback from the main handler. A diagnostics file has been collected and attached to the case, please find it enclosed as: - mellon_diagnostics